No one's safe from hackers -- not even LastPass, a company that stores people's passwords.
LastPass lets people store passwords online so they can access them all with a single master password.On Monday, LastPass announced that hackers broke into its computer system and got access to user email addresses, password reminders, and encrypted versions of people's master passwords.
So keeping all your passwords in a single place on the Internet might not be such a great idea.
LastPass said it discovered the digital break-in on Friday. It's still very early in its investigation, but if LastPass is right, hackers didn't manage to grab plain text versions of the all-powerful master passwords.
Still, hackers grabbed encoded versions of people's passwords. But if your master password is simple and common, like Password123, these hackers can crack it in no time. Hackers can also easily rent out computer servers and use computing power to decipher all the others.
"Attackers seem to have all they need to start brute-forcing master passwords," said Tod Beardsely, a research manager at cybersecurity firm Rapid7.
Hackers also grabbed user password reminders. So, you're out of luck if your question is something like, "Where were you born?" Anyone can figure that out using public records or social media accounts.
The potential damage here? Identity thieves might suddenly have access to important information such as email accounts, social media, banks, hospital records -- everything.
Cybersecurity experts reacted strongly to the news. For months, many of them have touted LastPass and similar services as an elegant solution to one of today's annoying problems of keeping track of multiple passwords.
Keeping the same password is reckless and remembering dozens is annoying. This third option relies entirely on trusting a company to protect them.
This hack reveals the flaw in that option.
"The recommended standard best practice is to use a password manager. It's the best way to deal with the tragedy of passwords," said Jon Oberheide, an executive at cybersecurity firm Duo Security.
Oberheide said he uses a password manager himself. There's a caveat, though. Oberheide doesn't use it for his critical accounts like Gmail or online banking.
In a blog post, LastPass urged users to quickly change their master passwords. And as every hacked company does, it assured users "security and privacy are our top concerns here at LastPass."
David Longenecker, an independent cybersecurity expert in Texas, complained that LastPass posted a public blog post about the incident before warning its users to change their passwords.
"I would have preferred getting the PSA to change password from you, versus through the grapevine," he wrote publicly to the company on Twitter (TWTR, Tech30).
As always, in this latest password database theft the only people who are protected are those who set up an extra security feature: two-step authentication, which requires a text message as a second passcode.
http://money.cnn.com/2015/06/15/technology/lastpass-password-hack/index.html
An unconfirmed but persistent rumor: the ATF's machine gun registry was hacked about the same time frame and by the same people as the OPM attack.
The news about the OPM hack by the ChiComs just keeps getting worse: "China’s Hack Just Wrecked American Espionage."
In addition, this writer has been trying for the past week to follow up on persistent rumors that the ATF's national machine gun registry, the NFRTR (National Firearm Registration and Transfer Record) was hacked at about the same time and the entire record downloaded by the same people as the OPM attack.
I'm getting as many denials as I am positives from what sources I can get to talk to me about this, and at the moment I rate the story as no better than a "50 percenter." Maybe it is true and maybe it isn't. But if it is true . . .
The Chinese Communists now have a list of the names and addresses of every single owner of a full-auto weapon in the country. A more powerful argument against national registration of firearms of any kind could not be made. Presumably if the ChiComs can carry off such a hack, any reasonably sophisticated criminal gang these days could accomplish the same thing.
One source I talked to joked that he hoped the Chinese understood that the NFRTR was so shot full of errors and so frequently "tweaked" by the ATF contrary to law that they couldn't reliably use it as a template for prosecutions after some future "Red Dawn." But then he admitted that prosecutions probably weren't what they had in mind for such information in the first place, Chinese "justice" being a bit more sudden than that.
Keep your eyes on these pages, dear readers, and I will either confirm or debunk this persistent rumor when I can.
No comments:
Post a Comment